Localization based on network of wireless nodes

ABSTRACT

A wireless node for use in a network of wireless nodes, for performing a localization to determine a location of a mobile device based on respective beacon signals transmitted wirelessly between the mobile device and each of a plurality of the wireless nodes. The first wireless node is configured to: wirelessly transmit or receive the respective beacon signal for use in determining the location of the mobile device; and wirelessly transmit information vouching for one or more others of the wireless nodes as being trusted for use in the localization. This information is transmitted to a device performing the localization (e.g. the mobile device), for use in identifying one or more rogue versions of said wireless nodes.

TECHNICAL FIELD

The present disclosure relates to the identification of rogue nodes in anetwork of wireless reference nodes emitting beacon signals used forlocalization.

BACKGROUND

In an indoor positioning system, the location of a wireless device suchas a mobile user terminal can be determined with respect to a locationnetwork comprising multiple anchor nodes, sometimes also referred to asbeacon nodes or reference nodes. These anchors are wireless nodes whoselocations are known a priori, typically being recorded in a locationdatabase which can be queried to look up the location of a node. Theanchor nodes thus act as reference nodes for localization. Measurementsare taken of the signals transmitted between the mobile device and aplurality of anchor nodes, for instance the RSSI (receiver signalstrength indicator), ToA (time of arrival) and/or AoA (angle of arrival)of the respective signal. Given such a measurement from three or morenodes, the location of the mobile terminal may then be determinedrelative to the location network using techniques such as trilateration,multilateration or triangulation. Given the relative location of themobile terminal and the known locations of the anchor nodes, this inturn allows the location of the mobile device to be determined in moreabsolute terms, e.g. relative to the globe or a map or floorplan.

Another localization technique is to determine the location of mobiledevice based on a “fingerprint” of a known environment. The fingerprintcomprises a set of data points each corresponding to a respective one ofa plurality of locations in the environment in question. Each data pointis generated during a training phase by taking a measurement of thesignals received from any reference nodes that can be heard at therespective location (e.g. a measure of signal strength such as RSSI) andstoring this in a location server along with the coordinates of therespective location. The data point is stored along with other such datapoints in order to build up a fingerprint of the signal measurements asexperienced at various locations within the environment. Once deployed,the signals measurements stored in the fingerprint can then be comparedwith signal measurements currently experienced by a mobile user devicewhose location is desired to be known, in order to estimate the locationof the mobile device relative to the corresponding coordinates of thepoints in the fingerprint. For example this may be done by approximatingthat the device is located at the coordinates of the data point havingthe closest matching signal measurements, or by interpolating betweenthe coordinates of a subset of the data points having signalmeasurements most closely matching those currently experienced by thedevice. The fingerprint can be pre-trained in a dedicated training phasebefore the fingerprint is deployed by systematically placing a testdevice at various different locations in the environment. Alternativelyor additionally, the fingerprint can built up dynamically by receivingsubmissions of signal measurements experienced by the actual devices ofactual users in an ongoing training phase.

As well as indoor positioning, other types of positioning system arealso known, such as GPS or other satellite-based positioning systems inwhich a network of satellites acts as the reference nodes. Given signalmeasurements from a plurality of satellites and knowledge of thosesatellites' positions, the location of the mobile device may bedetermined based on similar principles.

The determination of the mobile device's location may be performedaccording to a “device-centric” approach or a “network-centric”approach. According to a device centric approach, each reference nodeemits a respective signal which may be referred to as a beacon orbeaconing signal. The mobile device takes measurements of signals itreceives from the anchor nodes, obtains the locations of those nodesfrom the location server, and performs the calculation to determine itsown location at the mobile device itself. According to a network-centricapproach on the other hand, the anchor nodes are used to takemeasurements of signals received from the mobile device, and an elementof the network such as the location server performs the calculation todetermine the mobile device's location. Hybrid or “assisted” approachesare also possible, e.g. where the mobile device takes the rawmeasurements but forwards them to the location server to calculate itslocation.

One application of a positioning system is to automatically provide awireless mobile device with access to control of a utility such as alighting system, on condition that the mobile device is found to belocated in a particular spatial region or zone associated with thelighting or other utility. For instance, access to control of thelighting in a room may be provided to a wireless user device oncondition that the device is found to be located within that room andrequests access. Once a wireless user device has been located anddetermined to be within a valid region, control access is provided tothat device via a lighting control network. Other examples of locationbased services or functionality include indoor navigation,location-based advertising, service alerts or provision of otherlocation-related information, user tracking, asset tracking, or takingpayment of road tolls or other location dependent payments.

SUMMARY

Location-based services are emerging rapidly and are expected to have agreat impact. However, newly emerging positioning techniques such asthose based on Wi-Fi, ZigBee or Bluetooth are more prone to spoofing byrogue beacon or anchor nodes. The reliability and authenticity oflocation based services depends on the ability to calculate a device'strue position even in the presence of such rogue nodes. The followingprovides techniques for identifying and overcoming the presence of roguenodes so that the true location of a mobile device may be calculatedwith a certain assurance, or at least to detect attempts to hinderlocalization by rogue nodes. This is achieved by configuring one or moreother wireless reference nodes, in addition to their primary function ofbeaconing, to wirelessly transmit (e.g. broadcast) information vouchingfor other nodes they know or trust.

According to one aspect disclosed herein, there is provided firstwireless node for use in a network of wireless nodes, for performing alocalization to determine a location of a mobile device based onrespective beacon signals transmitted wirelessly between the mobiledevice and each of a plurality of the wireless nodes. The first wirelessnode is configured to wirelessly transmit or receive the respectivebeacon signal for use in determining the location of the mobile device.Further, the first wireless node is configured to wirelessly transmitinformation vouching for one or more others of the wireless nodes, i.e.identifying these one or more other nodes as being trusted for use inthe localization. This information is transmitted to a device performingthe localization, for use in identifying one or more rogue versions ofsaid wireless nodes.

The information vouching for the one or more other nodes may betransmitted on the same channel as used to transmit or receive thebeacon signal (e.g. a local RF channel using a technology such as Wi-Fi,ZigBee or Bluetooth).

Alternatively, in embodiments, the information vouching for the one ormore other nodes may be transmitted “out-of-band”, i.e. on analternative channel. That is, the first node comprises a first interfaceconfigured to transmit or receive the respective beacon signal on afirst wireless channel, and a second interface configured to transmitsaid information vouching for the other wireless nodes on a secondchannel different than the first channel. The first and secondinterfaces may be different physical interfaces or may share some or allof the same physical front-end hardware, but either way are configuredto transmit on two distinct channels wherein either: (a) the secondchannel is on a different frequency than the first channel, (b) thesecond channel uses a different radio access technology than the firstchannel, and/or (c) the second channel uses a different medium than thefirst channel (i.e. different types of carrier, e.g. different regionsof the electromagnetic spectrum, or even different types or radiation).Thus, although an attacker may spoof location signals on the firstchannel, the attacker may find it more difficult or costly to introducethe alternative technology used for the second channel into theenvironment in question (e.g. it would require different equipment,different skills and/or more time); or the attacker may even be unawareof the second channel's existence in the environment. Hence the secondchannel may provide an additional degree of trust when performinglocalization.

If the second channel is used, preferably it uses a technology requiringa line-of-sight between the mobile device and the first wireless node(while the first channel does not necessarily), or the second channel issubstantially shorter range than the first channel (requires immediatephysical proximity between the mobile device and the second wirelessnode, while the first channel does not). In such embodiments, the visualor physical proximity provides an additional degree of trust (e.g. tospoof the second channel would require equipment to introduced be intolocations that are difficult for the attacker to access or where itwould be difficult to reliably conceal the equipment).

In embodiments the first channel may be a radio channel, e.g. usingWi-Fi, ZigBee or Bluetooth. The information identifying the vouched-forother node(s) may be transmitted on this same first channel, or on analternative second channel. E.g. at least the first node may beincorporated with a respective luminaire and the second channel may usecoded light embedded in illumination emitted by the luminaire.Alternatively the second channel may use a near-field radio technology(such as used in RFID tags or the like), incorporated into a nodedisposed at a convenient place in the environment such that the user cantouch or swipe it with his or her mobile device.

Regardless of the channel over which the vouching is implemented, inembodiments the first wireless node may vouch for all the other nodes inthe network, or may vouch for only subset of the wireless nodes that aretrusted and within a predetermined proximity of said first node. E.g.the subset may comprise ones of the wireless nodes that are trusted andwithin a predetermined proximity along a predicted navigation path ofthe mobile device.

In embodiments, each of the nodes or at least some of the nodes areconfigured in a similar manner to the first node.

The techniques may be applied in either a device centric, networkcentric or assisted scenario. Hence in embodiments the device performingthe localization is the mobile device which receives said informationvia a receiver of the mobile device, or the device performing thelocalization is a location server which receives said information via asecond one of said wireless nodes or via the mobile device.

In embodiments where the second channel is used, this may be for thesole purpose of the vouching, or alternatively the second channel may bealso used for one or more additional purposes. For example in a devicecentric case, or an assisted case where the location server receivesinformation via the mobile device; then as well as transmitting theinformation vouching for the one or more other nodes, the first wirelessnode may additionally use the second channel to transmit an identifier(e.g. SSID) of the network to be used to perform the localization, whichthe mobile device may require to identify or connect to the relevantnodes). Alternatively or additionally, as another example, the firstwireless node may additionally use the second channel to transmit alocation of the first wireless node. The first node's location may thenbe used by the mobile device or location server to verify saidlocalization, i.e. the mobile device or location server can checkwhether the localization calculation performed using the beacon signalsover the first channel is consistent with the location of the first nodeas reported over the second channel. And/or, the first node's locationmay be used to obtain an initial fix of the mobile devices' locationbefore continuing to track the mobile device's location based on saidlocalization. For instance if the second channel is implemented by an RFtag that the mobile device touches or swipes against, it can be assumedthe mobile device's location is that of the first node; or if the firstnode is a luminaire and the second channel is based on coded light, itmay be determined that the mobile device is approximately in thevicinity of that luminaire (e.g. standing beneath it) when receiving thecoded light.

In embodiments where the vouching information is sent on the same, firstchannel as the beacon signal; a second channel of the kind discussedabove may optionally still be used for another purpose such as forauthenticating the information sent on the first channel. In this case,the information vouching for the one or more other nodes is transmittedby the first wireless node in a form that is encrypted or signed with adigital signature, and the first wireless node is configured to use thesecond channel to make available a public key for decrypting theencryption or a certificate for verifying the digital signature on thesecond channel.

According to another aspect disclosed herein, there is provided a mobiledevice for use in a network of wireless nodes, for performing alocalization to determine a location of the mobile device based onrespective beacon signals transmitted wirelessly between the mobiledevice and each of a plurality of the wireless nodes. The mobile devicecomprises one or more wireless interfaces configured to wirelesslytransmit or receive the respective beacon signals for use in determiningthe location of the mobile device, and to wirelessly receive informationfrom a first one of the wireless nodes vouching for one or more othersof the wireless nodes as being trusted for use in said localization. Themobile device further comprises a location module configured to performsaid localization, and a security module configured to identify one ormore rogue versions of said wireless nodes based on said information.

According to a further aspect disclosed herein, there is provided asystem comprising a network of wireless nodes, for performing alocalization to determine a location of a mobile device based onrespective beacon signals transmitted wirelessly between the mobiledevice and each of a plurality of the wireless nodes. The system furthercomprises the mobile device and/or a location server. Each of thewireless nodes is configured to wirelessly transmit a respective reportvouching for one or more others of the wireless nodes as being trustedfor use in said localization, and either the mobile device is configuredto receive one or more of said reports via a receiver of the mobiledevice, or the location server is configured to receive the reports viaat least one receiving one of said wireless nodes. Further, the mobiledevice or location server comprises a location module configured toperform said localization, and a security module configured to identifyone or more rogue versions of said wireless nodes based on saidinformation.

In embodiments, the security module is configured to exclude theidentified rogue nodes from use in said localization, or given them alower weighting compared to any vouched-for nodes that are used.Alternatively or additionally, the security module may be configured toreport the identified rogue nodes to a location server or otheradministrative entity (a terminal or server of an administrator oroperator).

In further embodiments, the system comprises a transmitter arranged totransmit to the mobile device over a second channel of the kinddiscussed above, and this second channel may be used to provideadditional functionality to support the localization. This transmittercould be implemented in one of the wireless nodes; or could be aseparate transmitter placed at a convenient point in the environmentsuch as an entry point to the room, building or other zone in which saidwireless nodes are disposed, such that the mobile device can receive thetransmission over the second channel when (and preferably only when) itpasses the entry point. For example the second channel may beimplemented by an RF tag disposed at an entrance to the room, buildingor zone, so that the user can swipe or touch his or her device againstthe tag upon entry; or may be implemented by a luminaire emitting codedlight near the entrance.

For instance, such a second channel may be used to transmit an initialreport vouching for an initial group of said wireless nodes. In a devicecentric case where the location module is comprised in the mobiledevice, or in an assisted case where the location module is comprised inthe location server but receives the initial report via the mobiledevice, then the location module can ensure that the first time itperforms a localization in a given environment it only uses therespective beacon signals of ones of those wireless nodes that arevouched for in the initial report. E.g. the mobile device receives theinitial list of trusted nodes when it first enters a room, building orzone; and from that point onward this creates a chain of trust each timeit performs a localization operation in that room, building or zone(each time only using nodes that have been vouched for by the initialreport or other, previously vouched-for nodes).

Alternatively or additionally, in another example, the respectivevouching reports from the wireless nodes are transmitted on the same,first channel as the beacon signals; and these reports are transmittedby each of the wireless nodes in a form that is encrypted or signed witha digital signature. In such an arrangement, the second channel may beconfigured to transmit a public key for decrypting the encryption or acertificate for verifying the digital signature. In a device centriccase where the security module is comprised in the mobile device, or inan assisted case where the security module is comprised in the locationserver but receives the public key or certificate via the mobile device,then the security module can use the public key or certificate asreceived over the second channel to decrypt the encryption or verify thedigital signature respectively. E.g. the mobile device receives thecertificate or key when it first enters a room, building or other zone;and from that point onwards it can trust any signed reports from nodesin the room, building or zone.

According to a further aspect disclosed herein, there is provided acomputer program product for performing a localization to determine alocation of a mobile device based on measurements of a respective beaconsignal transmitted wirelessly between the mobile device and each of aplurality of the wireless nodes in a network of wireless nodes. Thecomputer-program product comprises code embodied on at least onecomputer-readable medium, and configured so as when retrieved and/ordownloaded and executed on one or more processors to perform operationsof the first node, mobile device or location server in accordance withany of the embodiments herein.

BRIEF DESCRIPTION OF THE DRAWINGS

To assist the understanding of the present disclosure and to show howembodiments may be put into effect, reference is made by way of exampleto the accompanying drawings in which:

FIG. 1 is a schematic representation of an environment comprising anindoor positioning system,

FIG. 2 is a schematic block diagram of a system for providing a locationbased service,

FIG. 3 is a schematic block diagram of system in which one node vouchesfor one or more others,

FIG. 4 is a schematic block diagram of a wireless reference node andlocation server,

FIG. 5 is a schematic block diagram of a mobile terminal, and

FIG. 6 is a schematic representation of an environment comprising anindoor positioning system and separate transmitter.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 illustrates an example of a positioning system installed in anenvironment 2 according to embodiments of the present disclosure. Theenvironment 2 may comprise an indoor space comprising one or more rooms,corridors or halls, e.g. of a home, office, shop floor, mall,restaurant, bar, warehouse, airport, station or the like; or an outdoorspace such as a garden, park, street, or stadium; or a covered spacesuch as a gazebo, pagoda or marquee; or any other type of enclosed, openor partially enclosed space such as the interior of a vehicle. By way ofillustration, in the example of FIG. 1 the environment 2 in questioncomprises an interior space of a building.

The positioning system comprises a location network 4, comprisingmultiple reference nodes in the form of anchor nodes 6 each installed ata different respective fixed location within the environment 2 where thepositing system is to operate. For the sake of illustration FIG. 1 onlyshows the anchor nodes 6 within a given room, but it will be appreciatedthat the network 4 may for example extend further throughout a buildingor complex, or across multiple buildings or complexes. In embodimentsthe positioning system is an indoor positioning system comprising atleast some anchor nodes 6 situated indoors (within one or morebuildings), and in embodiments this may be a purely indoor positioningsystem in which the anchor nodes 6 are only situated indoors. Though inother embodiments it is not excluded that the network 4 extends indoorsand/or outdoors, e.g. also including anchor nodes 6 situated across anoutdoor space such as a campus, street or plaza covering the spacesbetween buildings.

In yet further embodiments the reference nodes 6 need not necessarily beinstalled at fixed locations or be dedicated anchor nodes of an indoorpositioning system, as long as their locations can still be known. Forexample the reference nodes could instead be access points 12 of a WLANor base stations of a cellular network used for a secondary purpose ofpositioning, or could be other mobile devices that have already been, oreven satellites of a satellite based positioning system. The followingwill be described in terms of the reference nodes 6 being anchor nodesof an indoor positioning system or the like, but it will be appreciatedthis is not necessarily the case in all possible embodiments. Also,while the disclosure is described in terms of wireless radios, thedisclosed techniques may be applied to other modalities such as visiblelight, ultrasound or other acoustic waves, etc.

The environment 2 is occupied by a user 10 having a wireless device 8disposed about his or her person (e.g. carried or in a bag or pocket).The wireless device 8 takes the form of a mobile user terminal such as asmart phone or other mobile phone, a tablet, or a laptop computer. At agiven time, the mobile device 8 has a current physical location whichmay be determined using the location network 4. In embodiments, it maybe assumed that the location of the mobile device 8 is substantially thesame as the location of the user 10, and in determining the location ofthe device 8 it may in fact be the location of the user 10 that is ofinterest. Another example would be a mobile tracking device disposedabout a being or object to be tracked, e.g. attached to the object orplaced within it. Examples would be a car or other vehicle, or a packingcrate, box or other container. The following will be described in termsof a mobile user device but it will be understood this is notnecessarily limiting in all embodiments and most generally the device 8may be any wireless device having the potential to be found at differentlocations or an as-yet unknown location to be determined. Further, thelocation of the mobile device 8 may be referred to interchangeably withthe location of the associated user 12, being or object about which itis disposed.

Referring to FIGS. 1 and 2, the environment 2 also comprises at leastone wireless access point or router 12 enabling communication with alocation server 14 (comprising one or more server units at one or moresites). The one or more wireless access points 12 are placed such thateach of the anchor nodes 6 is within wireless communication range of atleast one such access point 12. The following will be described in termsof one access point 12, but it will be appreciated that in embodimentsthe same function may be implemented using one or more access points 12and/or wireless routers distributed throughout the environment 2. Thewireless access point 12 is coupled to the location server 14, whethervia a local connection such as via a local wired or wireless network, orvia a wide area network or internetwork such as the Internet. Thewireless access point 12 is configured to operate according to ashort-range radio access technology such as Wi-Fi, Zigbee or Bluetooth,using which each of the anchor nodes 6 is able to wirelessly communicatevia the access point 12 and therefore with the location server 14.Alternatively it is not excluded that the anchor nodes 6 could beprovided with a wired connection with the location server 14, but thefollowing will be described in terms of a wireless connection via anaccess point 12 or the like.

The mobile device 8 is also able to communicate via the wireless accesspoint 12 using the relevant radio access technology, e.g. Wi-Fi, Zigbeeor Bluetooth, and thereby to communicate with the location server 14.Alternatively or additionally, the mobile device 8 may be configured tocommunicate with the location server 14 via other means such as awireless cellular network such as a network operating in accordance withone or more 3GPP standards. Furthermore, the mobile device 8 is able tocommunicate wirelessly with any of the anchor nodes 6 that happen to bein range. In embodiments this communication may be implemented via thesame radio access technology as used to communicate with the accesspoint 12, e.g. Wi-Fi, Zigbee or Bluetooth, though that is notnecessarily the case in all possible embodiments, e.g. the anchor nodes6 may alternatively broadcast to the mobile device 8 on some dedicatedlocalization radio technology.

Generally any of the communications described in the following may beimplemented using any of the above options or others for communicatingbetween the respective entities 6, 8, 12, 14 and for conciseness thevarious possibilities will not necessarily be repeated each time.

The signals between the anchor nodes 6 and the mobile device 8 are thesignals whose measurements are used to determine the location of themobile device 8. In a device centric approach the anchor nodes 6 eachbroadcast a signal and the mobile device 8 listens, detecting one ormore of those that are currently found in range and taking a respectivesignal measurement of each. Each anchor node 6 may be configured tobroadcast its signal repeatedly, e.g. periodically (at regularintervals). The respective measurement taken of the respective signalfrom each detected anchor node 6 may for example comprise a measurementof signal strength (e.g. RSSI), time of flight (ToF), angle of arrival(AoA), and/or any other property that varies with distance or location.

In a network centric approach, the mobile device 8 broadcasts a signaland the anchor nodes 6 listen, detecting an instance of the signal atone or more of those nodes 6 that are currently in range. In this casethe mobile device 8 may broadcast its signal repeatedly, e.g.periodically (at regular intervals). The respective measurement taken ofeach instance of the signal from the mobile device 8 may comprise ameasure of signal strength (e.g. RSSI) or time of flight (ToF), angle ofarrival (AoA), and/or any other property that varies with distance orlocation. In an example of a hybrid approach, the nodes 6 may take themeasurements but then send them to the mobile device 8, or the mobiledevice 8 may take the measurements but send them to the location server14.

There are various options for the manner in which such measurements arestarted and conducted. For example, either the mobile device mayinitiate the transmission upon which the measurement is based, or thenetwork may initiate the transmission. Both are possible, but it mayhave some impact how the rest of the process is implemented, inparticular for time-of-flight measurements.

Time-of-flight measurements can be obtained by establishing either a oneway transmission delay or a two-way transmission delay (round trip time,RTT). A measurement of one-way delay can suffice if all relevantelements in the network have a synchronized clock or can reference acommon clock. In this case the mobile device 8 may initiate themeasurement with a single message transmission, adding a timestamp (timeor time+date) of transmission to the message. If on the other hand themeasurement is not based on a synchronized or common clock, the anchoror reference nodes 6 can still perform a measurement by bouncingindividual messages back from the mobile device 8 and determining theround-trip time-of-flight. The latter may involve coordination from thenodes attempting to measure.

In the case of signal strength measurements, there are also differentoptions for implementing these. The determination of distance fromsignal strength is based on the diminishment of the signal strength overspace between source and destination, in this case between the mobiledevice 8 and anchor or reference node 6. This may for example be basedon a comparison of the received signal strength with a-prior knowledgeof the transmitted signal strength (i.e. if the nodes 6 or mobile device8 are known or assumed to always transmit with a given strength), orwith an indication of the transmitted signal strength embedded in thesignal itself, or with the transmitted signal strength beingcommunicated to the node 6 or device 8 taking the measurement node 6 viaanother channel (e.g. via location server 14).

Any one or a combination of these approaches or others may be applied inconjunction with the system disclosed herein. Whatever approach ischosen, once such a signal measurement is available from or at each of aplurality of the anchor nodes 6, it is then possible to determine thelocation of the mobile device 8 relative to the location network 4 usinga technique such as trilateration, multilateration, triangulation and/ora fingerprint based technique.

In addition, the “absolute” locations of the anchor nodes 6 (or moregenerally reference nodes) are known, for example from a locationdatabase maintained by the location server 14, or by the respectivelocation of each anchor node 6 being stored at the node itself (e.g. andcommunicated from each relevant nodes to the mobile device 8 in a devicecentric approach). The absolute location is a physical location of thenode in physical environment or framework, being known for example interms of a geographic location such as the location on a globe or a map,or a location on a floorplan of a building or complex, or any real-worldframe of reference.

By combining the relative location of the mobile device 8 with the knownlocations of the anchor nodes 6 used in the calculation, it is thenpossible to determine the “absolute” location of the mobile device 8.Again the absolute location is a physical location of the device inphysical environment or framework, for example a geographic location interms of the location on a globe or a map, or a location on a floorplanof a building or complex, or any more meaningful real-world frame ofreference having a wider meaning than simply knowing the locationrelative to the location network 4 alone.

In embodiments, the absolute location of the nodes 6 may be stored in ahuman understandable form and/or the absolute location of the mobiledevice 8 may be output in a human understandable form. For example, thismay enable the user 10 to be provided with a meaningful indication ofhis or her location, and/or may enable the administrator of alocation-based service to define rules for granting or prohibitingaccess to the service or aspects of the service. Alternatively it ispossible for the location of the nodes 6 and/or mobile device 8 to onlyever be expressed in computer-readable form, e.g. to be used internallywithin the logic of the location based service.

In other embodiments it is not excluded that the location is only everexpressed relative to the location network 4, 6 and not as a moremeaningful “absolute” location. For example if each anchor node 6 isintegrated or co-located with a respective luminaire and the location isbeing determined for the purpose of controlling those luminaires, thenin some embodiments it may only be necessary to determine the user'slocation relative to the framework of points defined by the anchor nodesof these luminaires (though in other similar arrangements it may stillbe desired to define lighting control regions relative to the floorplanof a building or the like).

In a device centric approach the mobile device 8 looks up the locationsof the relevant nodes 6 by querying the location server 14 (e.g. via thewireless access point 12), or alternatively may receive the respectivelocation along with the signal from each node 6. The mobile device 8then performs the calculation to determine its own location at thedevice 8 itself (relative to the location network 4 and/or in absoluteterms). In a network centric approach on the other hand, the nodes 6submit the signal measurements they took to the location server 14 (e.g.via the wireless access point 12), and the location server 14 performsthe calculation of the device's location at the server 14 (againrelative to the location network 4 and/or in absolute terms). In anexample of an assisted or hybrid approach, the mobile device 8 may takethe measurements of signals from the nodes 6 but submit them to thelocation server 14 in a raw or partially processed form for thecalculation to be performed or completed there.

Typically a signal measurement is needed from at least three referencenodes, though if other information is taken into account then it issometimes possible to eliminate impossible or unlikely solutions basedon two nodes. For example, if the location is assumed to be constrainedto a single level (e.g. ground level or a given floor of a building),the measurement from any one given node 6 defines a circle of points atwhich the mobile device 8 could be located. Two nodes give two circles,the intersection of which gives two possible points at which the mobiledevice 8 may be located. Three nodes and three circles are enough togive an unambiguous solution at the intersection of the three circles(though more may be used to improve accuracy). However, with only twonodes, sometimes it may be possible to discount one of those points asbeing an unlikely or impossible solution, e.g. being a point in an areato which the user 10 does not have access or it is impossible to reach,or a point that is not consistent with a plotted trajectory (path) ofthe user 10 (elimination by “dead reckoning”). Similar comments may bemade in relation to three-dimensional positioning: strictly four nodesdefining four spheres are required to obtain an unambiguous solution,but sometimes an estimate may be made based on fewer nodes if additionalinformation can be invoked. Assuming the user 10 is constrained to aparticular level to constrain to a two-dimensional problem is an exampleof such information. As another example, it may be assumed the user 10is found on one of a plurality of discrete floors, and/or a deadreckoning type approach may be used to eliminate unlikely jumps in theuser's route.

By whatever technique the location is determined, this location may thenbe used to assess whether the mobile device 8 is granted access to somelocation-based service or other such function. To this end, there isprovided a service access system 16 configured to conditionally grantaccess to the service in dependence on the absolute location of themobile device 8. In a device centric approach the mobile device 8submits its determined absolute location (e.g. in terms of globalcoordinates, map coordinates or coordinates on a floor plan) to theservice access system 16 over a connection via the wireless access point12 or other means such as a cellular connection. The service accesssystem 16 then assesses this location and grants the mobile device 8with access to the service on condition that the location is consistentwith provision of the service (and any other access rules that happensto be implemented, e.g. also verifying the identity of the user 10). Ina network centric approach, the location server 14 submits thedetermined absolute location of the mobile device 8 to the serviceaccess system 16, e.g. via a connection over a local wired or wirelessnetwork and/or over a wide area network or internetwork such as theInternet. Alternatively the location server 14 may send the absolutelocation to the mobile device 8, and the mobile device may then forwardit on to the service access system 16. In another alternative theservice could be provided directly from the location server 14, or couldeven be implemented on an application running on the mobile device 8itself.

The following are some examples of location-related services orfunctions that may be provided in accordance with embodiments of thepresent disclosure:

allowing control of a utility such as lighting from an applicationrunning on the mobile device 8, where the user can only control thelighting or utility in a given room or zone when found to be located inthat room or zone, or perhaps an associated zone;

providing a navigation service such as an indoor navigation service tothe mobile device 8 (in which case the location-related functioncomprises at least providing the device's absolute location to anapplication running on the mobile device 8, e.g. which the applicationmay then use to display the user's location on a floor plan or map);

providing location based advertising, alerts or other information to themobile device 8, e.g. providing the device 8 with information onexhibits as the user 10 walks about a museum, providing the device 8with information about products as the user 10 walks about a shop ormall, providing the device 8 with access to medical data only if presentinside a hospital or specific zone within a hospital, or providing thedevice 8 with access to complementary media material only if presentphysically within a movie theatre or the like; and/or

accepting location dependent payments from the mobile device oncondition that the device 8 is present in a certain region, e.g.payments in shops, payment of road tolls, “pay as you drive” car rental,or entrance fees to venues or attractions.

For instance, in embodiments the service access system 16 is configuredto control access to a lighting network installed or otherwise disposedin the environment 2. In this case the environment 2 comprises aplurality of luminaires (not shown) and a lighting control systemcomprising the access system 16. The luminaires may for example beinstalled in the ceiling and/or walls, and/or may comprise one or morefree standing units. The luminaires are arranged to receive lightingcontrol commands from the controller. In embodiments this may also beachieved via the wireless access point 12 using the same radio accesstechnology that the anchor nodes 6 and/or mobile device 8 use tocommunicate with the wireless access point 12, and/or the same radioaccess technology used to communicate the signals between the mobiledevice 8 and anchor nodes 6 in order to take the location measurements,e.g. Wi-Fi or Zigbee. Alternatively the lighting controller maycommunicate with the luminaires by other means, e.g. a separate wired orwireless network. Either way, the access system 16 of the lightingcontroller is configured with one or more location dependent controlpolicies. For example, a control policy may define that a user 10 canonly use his or her mobile device 8 to control the lights in certainregion such as a room only when found within that region or within acertain defined nearby region. As another example control policy, themobile device 8 only controls those luminaires within a certain vicinityof the user's current location.

Note that FIG. 2 shows arrows in all directions to illustrate thepossibility of either device centric or network centric approaches, butin any given implementation not all the communications shown need bebidirectional or indeed present at all. The techniques disclosed in thefollowing may be applied in any of a device centric, network centric orassisted (hybrid) arrangement.

In a device centric scenario, the device 8 being positioned receivesbeacon signals from location network beaconing nodes 4 to calculate itsposition either at the positioned device itself or with the help ofadditional data from a location server 14. A problem is that an attackercould install their own rogue beacon or anchor node(s) into the locationnetwork 4 to spoof signals that are measured by the positioned device 8.This can lead to the positioned device 8 calculating a location foritself which is not true. Even in a network centric case, it ispotentially possible that a malicious party could find a way to connecta rogue node to the network 4, which would report false measurements tothe location server 14. E.g. one way that this could happen is if theinterface between the anchor nodes 6 and the location server 14 is notauthenticated or is hacked.

Such rogue nodes could be used by the attacker to either launch adenial-of-service (DoS) attack, or more sophisticated attacks wherebythe attacker could trigger pre-determined responses from the positioneddevice 8 and/or service access system 16. Some examples of suchsophisticated attacks include (but are not limited to) triggering analarm for assets that might be falsely detected as being outside theirintended zone, navigating an automated driving vehicle in a warehouse inthe wrong direction to cause damage, controlling lights erratically tocause distress or harm, or disruption of other location based services.

This following provides solutions to identify fake localization beaconsand to provide assurances that any location that is calculated is thetrue location (to within a reasonable degree of certainty and accuracy).

FIG. 3 shows an arrangement in which a first anchor node 6 a isconfigured to vouch for one or more other anchor nodes 6 b. Each of thefirst and other nodes 6 a, 6 b is configured to wirelessly transmit orreceive a respective beacon signal on a first wireless channel 21, e.g.a local radio channel using a radio access technology such as Wi-Fi,ZigBee or Bluetooth, as already discussed above. In a device centricapproach or certain hybrid approaches, the respective beacon signal isthe signal transmitted from the respective node 6 a, 6 b. In a networkcentric approach or certain other hybrid approaches, the respectivesignal is a respective instance of the signal transmitted by the mobiledevice 8. In addition to the main beaconing functionality, at least thefirst node 6 a is configured to wirelessly transmit information 25vouching for one or more other nodes 6 b as being known to the system.I.e. this information identifies one or more other nodes 6 b which thefirst node 6 a reports as being trusted for use in the localization.

In embodiments, the information 25 vouching for the vouched-for othernodes 6 b is broadcast by the first node 6 a, so that it can be receivedby any mobile devices 8 (network centric or hybrid) or second nodes 6(network centric or hybrid) that happen to be in range.

The information 25 vouching for the other nodes 6 b is preferablytransmitted on a second, or “out-of-band” channel 23 which is differentthan the first wireless channel 21. This may be a channel using adifferent frequency, a different radio access technology, or a differentmedium (e.g. different type of radiation such as a different region ofthe EM spectrum). For example the first channel may be implemented usinga short-range (unlicensed) radio access technology such as Wi-Fi, ZigBeeor Bluetooth; while the second channel 23 may be implemented using codedlight (visible spectrum communication), infrared, or a near-fieldcommunication (NFC) radio technology such as an RFID technology (as usedin RFID tags). Examples will be discussed in more detail below.

Note that in embodiments, one or more other nodes 6, 6 b may also beconfigured in a similar manner to the described first node 6 a. Thisincludes embodiments where the “first” node 6 a may be one of the“other” nodes from the perspective of one or more of the “other” nodes(each of which is a “first” node from its own perspective), such thatthe nodes 6 are arranged to mutually vouch for each other in a networkof trust.

As shown in FIG. 3, in a device centric or certain hybrid approaches,the information 25 vouching for the other nodes 6 b is received and madeuse of by the mobile device 8. As well as performing the localization,the mobile device 8 is configured to process the information 25 todetermine whether any of the anchor nodes 6 it is encountering in theenvironment 2 are not amongst those vouched for by the information 25received from one or more first nodes 6 a. Such unvouched-for nodes maythus be determined to be rogue nodes (with some degree of certainty,i.e. being at least suspected rogue nodes). There are at least twopossible courses of action in response to detecting such rogue nodes.One option is for the mobile device 8 to refrain from using any nodesidentified as rogue in the localization (i.e. refrain from using anybeacon signals from the identified rogues), instead selecting only thosevouched-for in the localization calculation (i.e. only usingmeasurements of beacon signals to or from the vouched-for nodes, e.g.only including these in the triangulation, trilateration,multilateration or fingerprint-based calculation). Alternatively oradditionally, the mobile device 8 may report the identified rogues to alocation server 14 or other administrative computer system, so that anoperator of the location network 6 can investigate further whether theseare indeed rogues, and if so remove or nullify them.

In a network centric approach or certain other hybrid approaches (notshown in FIG. 3), the information 25 is received by one or more secondnodes 6 of the location network and forwarded to a location server 14 tobe used there. These second nodes could be nodes amongst those vouchedfor by the transmitted information 25, or could be yet further nodes ofthe network 6. Or as another option, the information 25 could bereceived by the mobile device 8 but forwarded to the location server 14to be used there. In such cases, as well as performing the localization,the location server 14 is configured to process the information 25 todetermine whether any of the anchor nodes 6 from which it has receivedbeacon measurements are not amongst those vouched for by the information25 received from one or more first nodes 6 a. Such nodes may thus bedetermined to be rogue nodes (again with some degree of certainty, i.e.being at least suspected rogue nodes). As above, there are again twopossible courses of action in response to detecting such rogue nodes:the location server 14 may refrain from using any nodes identified asrogue in the localization (i.e. refrain from using the respective beaconmeasurements), instead selecting only those vouched-for in thelocalization calculation (i.e. only using measurements of beacon signalsto or from the vouched-for nodes); and/or the server 14 may record theidentified rogues or report them to another administrative computersystem, so that an operator of the location network 6 can investigatefurther whether these are indeed rogues, and if so remove or nullifythem.

FIG. 4 gives a block diagram of one of the anchor nodes 6 and thelocation server 14. The anchor node 6 comprises a first wirelessinterface 30 for transmitting or receiving the beacon signal on thefirst channel 21. In embodiments, the information 25 vouching for theone or more other anchor nodes 6 may also be transmitted on this same,first channel 21. Alternatively, the anchor node 6 may comprise a secondwireless interface 32 for transmitting the vouching information 25 on asecond channel 23. In the latter case, the second channel is distinctfrom the first channel in that either: (a) the second channel uses adifferent frequency than the first channel, (b) the second channel usesa different radio access technology than the first channel, and/or (c)the second channel uses a different medium than the first channel (i.e.different types of carrier, e.g. different regions of theelectromagnetic spectrum, or even different types or radiation).Preferably the second channel uses a technology requiring aline-of-sight between the mobile device and the first wireless node(while the first channel does not necessarily), or the second channel issubstantially shorter range than the first channel (requires immediatephysical proximity between the mobile device and the second wirelessnode, while the first channel does not).

If the second channel 23 is used, the two interfaces 30, 32 may be twoseparate physical interfaces, e.g. the first interface 30 being a radiotransmitter or receiver, and the second interface 32 being a coded lightemitter or NFC transmitter (e.g. RFID tag). Alternatively the twointerfaces 30, 32 could comprise the same physical interface, and beimplemented as two logical interfaces, e.g. using different frequenciesof the same radio access technology.

The anchor node 6 is also configured to communicate with the locationserver 14. In embodiments this communication may also be performed viathe first interface 30, and the wireless access point 12; but that isnot necessarily the case in all embodiments, e.g. a wired connectionwith the location server 14 could alternatively be used.

FIG. 5 gives a block diagram of the mobile device 8. The device 8comprises a first wireless interface 30′, and optionally a secondwireless interface 32′. The first interface 30′ is a complementaryinterface to the first interface 30 of the anchor nodes 6, for receivingthe beacon signals from the anchor nodes 6, and in embodiments also thevouching information 25. If present, the second wireless interface 32′is a complementary interface to the second interface 32′ of the anchornodes 6, as an alternative means for receiving the vouching information25. The two interfaces 30′, 32′ may again be two separate physicalinterfaces, e.g. the first interface 30′ being a radio transmitter orreceiver, and the second interface 32′ being a coded light or NFCreceiver. Alternatively the two interfaces 30, 32 could comprise thesame physical interface, and be implemented as two logical interfaces,e.g. using different frequencies of the same radio access technology.

In embodiments, the first channel 21 uses a local radio technology suchas Wi-Fi, ZigBee or Bluetooth; and the first interface 30, 30′ is aradio transmitter or receiver for transmitting or receiving therespective beacon signal, and optionally the vouching information, overthe first channel according to the local radio technology of the firstchannel.

If the vouching information 25 is instead transmitted over a separate,second channel 23 instead of the first channel, in embodiments thesecond channel takes the form of a near-field communication channelrequiring immediate physical proximity between the two complementarysides 32, 32′ of the second interface, and therefore between the anchornode 6 and the mobile device 8. Preferably this immediate physicalproximity means less than or equal to 20 cm between the transmit andreceiving interfaces 32, 32′; or less than or equal to 10 cm between thetransmit and receiving interfaces 32, 32′; or less than or equal to twowavelengths of the second channel's carrier between the transmit andreceiving interfaces 32, 32′; or less than or equal to one wavelength ofthe second channel's carrier between the transmit and receivinginterfaces 32, 32′. For example, the second channel may be implementedwith a near-field radio technology, e.g. the second interface 32 of theanchor node 6 taking the form of an RF tag and the second interface 32′of the mobile device 8 being configured to energize the RF tag 32 andreceive the relevant signal back from the tag as a result.

In another example, at least one of the anchor nodes is incorporatedinto a respective luminaire, and the second channel is a coded lightchannel embedded into the light emitted by the luminaire. In this casethe second interface 32 of the anchor node takes the form of a lightsource of the respective luminaire, and the second interface 32′ on themobile device 8 takes the form of a coded light detector such as aphotocell or camera plus associated signal processing software orcircuitry.

In a device centric or some hybrid approaches, the mobile device 8comprises a location module 36 for performing the localizationcalculation based on the beacon signals from the anchor nodes 6(according to techniques already discussed), and also a security module34. The security module 34 is configured to process the information 25received from one or more of the anchor nodes 6 vouching for one or moreothers of the nodes, and to act accordingly: either selecting onlytrusted nodes to be used in the localization by the localization module,and/or reporting rogue nodes to the location server 14.

In a network centric or other hybrid approaches, the localization module36 and security module 34 are implemented at the location server 14. Thefollowing embodiments will be described in terms of a device centricapproach, but it will be appreciated that corresponding techniques maybe applied by analogy to a network centric or hybrid approach.

During the setup of the location network, each anchor node 6 is providedwith identifiers of other anchor nodes 6 which are part of the trustedlocation network 4. This list of other anchor nodes in the locationnetwork is advertised in the report 25 transmitted by each anchor node 6to the positioned device 8. I.e. the information 25 vouching for theother nodes 6 b takes the form of a list of identifiers of those othernodes, identifying them as trusted for use in performing localizationcalculations based on their respective beacon signals. This may bereferred to herein as the “vouching information”, “vouching report” orsimply the “list”. The positioned device 8 uses this list to identifyanchor nodes 6 that have been vouched for by each other and hence has anauthentic list of anchor nodes to calculate the true location withcertain assurance.

The list 25 may take any format that can be understood by the securitymodule, e.g. plain text, XML or JSON. The node IDs in the list may betransmitted in “bare” (unencrypted) form, or to provide additional trustit could optionally be digitally signed or encrypted. The IDs could beMAC addresses or any other unique number that can be used to look up theposition of the anchor nodes from an assistance data.

In another example, in a device centric case or an assisted case wherethe location server 14 receives the beacon signals via the mobile device8, if the beacon signals are digitally signed then the list 25transmitted by each node 6 may comprise a respective digital certificatefor each of the other trusted nodes 6 (either in addition to the plainIDs of those nodes, or as the sole means of identification). Therespective certificate can then be used by the security module 34 toauthenticate the respective beacon signal of each of the vouched-fornodes 6.

In embodiments, the list 25 may additionally include an indication as towhich location server or beacon group each of the identified nodes inthe list belong to, which the location module 36 can use to decide whichnodes to use in the location calculation.

In embodiments, the list 25 transmitted by each node 6 may vouch for allthe other nodes 6 that are trusted in the system, or alternatively onlya reduced set of anchor nodes is vouched for in the list (fewer than thetotal number in the network 4 in question). In the case of a reducedlist, this subset may be based for example on: the indoor layout plan,the usual navigation patterns of the particular device 8 beinglocalized, and/or patterns of normal use of devices in general in thespace. Transmitting the identifiers of all other anchor nodes 6 in thelocation network 4 may only be viable in small location networks, as thelist of identifiers can get large and can consume a large bandwidth ifadvertised from each anchor node. Therefore to overcome this, inembodiments the anchor nodes 6 may each only advertise a subset of theanchor nodes. This subset that each node 6 a transmits is based on thelocation of other anchor nodes 6 b within an indoor layout map or thelike, or their position relative to the node 6 a. I.e. an anchor node 6transmits identities of only those (trusted) nodes within a certainvicinity and/or those that are required based on the layout (e.g. otheranchor nodes in the same room).

For example, to enable a chain of anchor nodes that can trusted based onthe overlap of anchor node lists advertised by different anchor nodes, atypical navigation path of positioned devices within the building may bepredicted (e.g. based on a-priori information on expected user behaviorand the building layout, or a known navigation path if the user hasindicated his or her end point). This may then be used to identifyoverlapping anchor nodes that are to be advertised to obtain suitablecoverage. In this case, the nodes 6 within the relevant vicinity of eachrespective node (and therefore the nodes to be advertised by that node)comprise only those nodes within a predetermined vicinity along thepredicted navigation path.

As mentioned, there are also different possibilities for the response ofthe security module 34 in response to identifying one or more roguenodes. One possible countermeasure is to selectively filter from thelocalization any signals from the beacon nodes that are judged, based onone or more of above the techniques, as not being part of the reallocation network 4. If a positioned device 8 detects signals from(supposed) anchor nodes that cannot be authenticated as being part ofthe location network 4, then its security module 34 can selectivelyfilter those signals from the location calculations. The selectivefiltering may completely exclude signals from untrusted anchor nodesthat are not vouched-for, or alternatively give them a lower weightingso that they do not influence the final location calculation beyond acertain degree.

Another possibility is that the security module 34 triggers an alert tothe location server 14 or other entity (e.g. computer system of anadministrator), altering it about the observance or suspicion of spoofednodes based on one or more of the above techniques. Unlike the casewhere the positioned device 8 just filters out signals from the roguenodes, in this variant the positioned device 8 takes active steps toinform one or more other entities of the presence of such rogue nodes.

In further embodiments, the vouching processes may be securelybootstrapped or cross-checked with the use of an alternative or“out-of-band” channel to the positioned device (e.g. a coded-light orRFID channel).

To implement this, the system comprises a transmitter configured totransmit to the mobile device 8 on a second channel other than the firstchannel used for the beacons signals. This transmitter may beincorporated into one or more of the anchor nodes 6, and if the vouchinglist 25 is transmitted on the second channel 23 rather than the firstchannel, this transmitter may be the same second wireless interface 32used to transmit the vouching list 25, using the same second channel 23.Alternatively, as illustrated in FIG. 6, the transmitter now describedmay be separate transmitter 38 disposed at some convenient place in theenvironment 2 so that it can be read by the mobile device. In the lattercase, the transmitter 38 may transmit on the same type of second channelas used by the anchor nodes 6 in some embodiments to transmit thevouching list 25, or the transmitter 38 may transmit on a different typeof second channel.

Either way, the second channel now discussed is again distinct from thefirst channel used for the beacon signals in that either: (a) the secondchannel uses a different frequency than the first channel, (b) thesecond channel uses a different radio access technology than the firstchannel, and/or (c) the second channel uses a different medium than thefirst channel (i.e. different types of carrier, e.g. different regionsof the electromagnetic spectrum, or even different types or radiation).Preferably the second channel uses a technology requiring aline-of-sight between the mobile device and the first wireless node(while the first channel does not necessarily), or the second channel issubstantially shorter range than the first channel (requires immediatephysical proximity between the mobile device and the second wirelessnode, while the first channel does not).

In one embodiment, this second channel again takes the form of anear-field communication channel requiring immediate physical proximitybetween the transmitter 38/32 and a complementary receiver 32′ in themobile device. Again, preferably this immediate physical proximity meansless than or equal to 20 cm between the transmit and receivinginterfaces 32, 32′; or less than or equal to 10 cm between the transmitand receiving interfaces 32, 32′; or less than or equal to twowavelengths of the second channel's carrier between the transmit andreceiving interfaces 32, 32′; or less than or equal to one wavelength ofthe second channel's carrier between the transmit and receivinginterfaces 32, 32′. For example, the second channel may be implementedwith a near-field radio technology, e.g. the transmitter 38/32 takingthe form of an RF tag and the corresponding receiver 32′ of the mobiledevice 8 being configured to energize the RF tag 32 and receive therelevant signal back from the tag as a result.

In another example, the second channel may again be a coded lightchannel embedded into the light emitted by a luminaire. In this case thetransmitter 38/32 takes the form of a light source of the respectiveluminaire, and the corresponding receiver 32′ on the mobile device 8takes the form of a coded light detector such as a photocell or cameraplus associated signal processing software or circuitry.

As illustrated in FIG. 6, the transmitter 38/32 is preferably disposedat an entrance to the room, building or zone 2 in which the locationnetwork 4, 6 is installed. In the case of a stand-alone transmitter 38separate from the anchor nodes 6, this could take the form of an RF taglocated by the door (e.g. on the wall by the door), which the mobiledevice 8 can read by swiping or touching against it upon entering theroom, building or zone.

Alternatively the transmitter 38 could take the form of a luminaire ordedicated communication light (e.g. an LED) disposed near the door, fromwhich the mobile device 8 can read a coded light signal upon enteringthe room, building or zone. In the case of a transmitter 32 incorporatedinto one of the anchor nodes 6, this could be a nominated one of theanchor nodes 6 disposed at the entrance (e.g. by the door) in similarmanner discussed in relation to the stand-alone transmitter 38, allowingthe mobile device to swipe or touch the node 6 or receive coded lightfrom its respective light source upon entry into the room, building orzone. Note also that although preferred, it is not essential that thetransmitter 38/32 for this second channel is placed by the entrance.Alternatively it could be placed at a convenient landmark, meeting pointor terminal where a user is likely to begin (for example) a route, tour,working day, or work or leisure session.

There are a number of possible uses of this second channel to supportthe vouching process (as opposed to being the means by which thevouching between the anchor nodes 6 is implemented, or as opposed toonly being the means by which the vouching between the anchor nodes 6 isimplemented). These embodiments apply in a device centric case where themobile device receives the data from the second channel, or an assistedcase where the location server receives the data from the second channelvia a corresponding receiver on the mobile device.

A first example is to provide an initial list of trustworthy nodes 6.Without an additional mechanism, rogue anchors could potentially also beinstalled that advertise a rogue list of other rogue nodes, thusundermining the vouching process set out above. Therefore it may bedesirable for the mobile device 8 to be able to differentiate the roguelist from the authentic list. To overcome this, in embodiments aninitial list of authentic nodes 6 can be bootstrapped to the positioneddevice 8 using the “out-of-band” mechanism provided by the transmitter38/32 (out-of-band in that it uses a different channel than the first,beaconing channel). For example this could be implemented by means ofcoded-light or an RFID tag, located at strategic positions within theindoor facility based on the layout (e.g. at the entrances). Theout-of-band communicated anchor nodes list enables trust in other nodesthat this set of authentic nodes advertises, thereby creating achain-of-trust. I.e. when the mobile device 8 first enters theenvironment (or first begins localization) it reads the initial listfrom the out-of-band transmitter 38/32 and only uses anchor nodes 6known to be trusted from this initial list. From then onwards, if one ofthe nodes 6 on the initial list vouches for a further node 6 that wasnot on the initial list, the mobile device can then trust that furthernode for use in subsequent localizations, and so forth.

This out-of-band communicated list of anchor node identifiers can alsobe used after the initial bootstrapping to cross-check the list beingadvertised presently by the beacon nodes. Hence these out-of-bandmechanisms based on coded-light or RFID can be installed at differentlocations in the building and can be used when desired by the positioneddevice to get additional confidence in the beacon nodes being used forlocalization.

In another example, the “out-of-band” second channel (e.g. coded-light,RFID etc.) can alternatively or additionally be used to securelybootstrap other configuration parameters that it may be desired tosecurely convey to the mobile device in order to ensure true location.Such parameters could include for example which location network to use(e.g. the SSID of the Wi-Fi network to use) or the location server touse for a particular indoor facility. Such bootstrapping can beperformed as in the previous embodiment by strategically placing theout-of-band mechanisms based on the indoor layout, e.g. at theentrances. This out-of-band mechanism can also be used to cross-checkpresent parameters that are in use by having out-of-band mechanisminstalled at different locations in the building.

In another example, the “out-of-band” second channel (e.g. coded-light,RFID etc.) may alternatively or additionally be used to securelybootstrap or cross-check the current location.

The transmitter 38/32 (e.g. coded-light or RFID) advertises its ownlocation and therefore the approximate current location of the mobiledevice 8, assuming the out-of-band mechanism (i.e. second channel) ofthe transmitter 38/32 is only able to communicate within a smallpre-defined physical space (e.g. directly below or in the vicinity ofthe coded-light lamp, or touching against or swiping past the RFID tag).This true location can then be used by the location module 36 tobootstrap (for efficiency reasons) and/or to cross-check the locationthat is being calculated based on the signals from the beacon nodes.

In the case of bootstrapping the location, the mobile device 8 obtainsthe location of the transmitter 38/32 via the second channel, whichprovides an approximate position of the mobile device 8 due to thenature of the second channel. The location module 36 takes this as aninitial location fix, then continue to track the location based on thelocalization performed using the anchor nodes 6. This can increase theefficiency of the localization, as the there is no need to wait for theinitial location fix to be calculated from the anchor nodes 6 based onthe triangulation, trilateration, fingerprinting or the like (otherwisestarting from a “cold start”, the first fix takes additional time).

In the case of verifying the location calculation, the mobile device 8again obtains the location of the transmitter 38/32 via the secondchannel, but in this case at some later time after the firstlocalization; and the location module 36 takes this as an approximate“true” location of the mobile device 8. The location module 36 can thencompare the true location reported by the out-of-band transmitter 38/32over the second channel with the result of the localization it hasperformed based on the beacon signals from the anchor nodes 6 receivedover first channel based, and thereby determine whether consistent withthe location of node reported on second channel. If not, thisdetermination could be used to update or recalibrate the locationcalculation; or could be taken by the security module 34 as anotherindication that rogue nodes may be present.

Another possible application of the “out-of-band” second channel iswhere the security module 34 triggers an alert to about the observanceor suspicion of rogue nodes based on one or more of the abovetechniques. The alert will be sent to a location server or to anotheradministrative entity of the location network 6, but this requiresknowledge of how to contact such a trusted entity (e.g. an address orother ID). The nodes 6 could be preconfigured with, but if not, anotherpossible way to transfer this knowledge can be using the “out-of-bandmechanism 38/32 (i.e. second channel) described above (e.g. RFID tag orcoded light).

It will be appreciated that the above embodiments have been describedonly by way of example. Other variations to the disclosed embodimentscan be understood and effected by those skilled in the art in practicingthe claimed invention, from a study of the drawings, the disclosure, andthe appended claims. In the claims, the word “comprising” does notexclude other elements or steps, and the indefinite article “a” or “an”does not exclude a plurality. A single processor or other unit mayfulfill the functions of several items recited in the claims. The merefact that certain measures are recited in mutually different dependentclaims does not indicate that a combination of these measures cannot beused to advantage. A computer program may be stored/distributed on asuitable medium, such as an optical storage medium or a solid-statemedium supplied together with or as part of other hardware, but may alsobe distributed in other forms, such as via the Internet or other wiredor wireless telecommunication systems. Any reference signs in the claimsshould not be construed as limiting the scope.

1. A first wireless node for use in a network of wireless nodes, forperforming a localization to determine a location of a mobile devicebased on respective beacon signals transmitted wirelessly between themobile device and each of a plurality of the wireless nodes; the firstwireless node being configured to: wirelessly transmit or receive therespective beacon signal for use in determining the location of themobile device; and wirelessly transmit information vouching for one ormore others of the wireless nodes as being trusted for use in saidlocalization, said information being transmitted to a device performingthe localization for use in identifying one or more rogue versions ofsaid wireless nodes.
 2. The first wireless node of claim 1, comprising afirst interface configured to transmit or receive the respective beaconsignal on a first wireless channel, and a second interface configured totransmit said information vouching for the other wireless nodes on asecond channel; wherein: the second channel is on a different frequencythan the first channel, the second channel uses a different radio accesstechnology than the first channel, the second channel uses a differentphysical medium than the first channel, the second channel requires aline-of-sight while the first channel does not, and/or the secondchannel has a substantially shorter range than the first channel.
 3. Thefirst wireless channel of claim 2, wherein the first channel is a radiochannel.
 4. The first wireless node of claim 2, wherein at least thefirst node is incorporated with a respective luminaire and the secondchannel uses coded light embedded in illumination emitted by theluminaire.
 5. The first wireless node of claim 2, wherein the secondchannel uses a near-field radio technology.
 6. The first wireless nodeof claim 2, wherein the device performing the localization is the mobiledevice, or the device performing the localization is a location serverthat receives said information via the mobile device; and, as well astransmitting said information vouching for the one or more other nodes,the first wireless node is further configured to use the second channelto additionally transmit to the mobile device: an identifier of thenetwork to be used to perform the localization; and/or a location of thefirst wireless node, for verifying said localization, or for obtainingan initial fix of the mobile devices' location before continuing totrack the mobile device's location based on said localization.
 7. Thefirst wireless node of claim 1, wherein the first wireless node, isconfigured to transmit said information on a same wireless channel asused to transmit or receive the respective beacon signal.
 8. The firstwireless node of claim 7, wherein: the first wireless node comprises afirst interface configured to transmit or receive the respective beaconsignal on a first wireless channel, the information vouching for the oneor more other nodes, also being transmitted on the first channel; saidinformation is transmitted by the first wireless node in a formencrypted or signed with a digital signature; the first wireless nodecomprises a second interface configured to transmit, over a secondchannel a public key for decrypting the encryption or a certificate forverifying the digital signature, wherein the second channel: is on adifferent frequency than the first channel, uses a different radioaccess technology than the first channel, uses a different physicalmedium than the first channel, requires a line-of-sight while the firstchannel does not, and/or has a substantially shorter range than thefirst channel.
 9. The first wireless node of claim 1, wherein saidinformation vouches for only subset of the wireless nodes, the subsetconsisting of those of the wireless nodes that are trusted by the firstwireless node and within a predetermined proximity of said firstwireless node.
 10. The first wireless node of claim 9, wherein thesubset comprises only those of the wireless nodes that are trusted andwithin a predetermined proximity along a predicted navigation path ofthe mobile device.
 11. The first wireless node of claim 1, wherein thedevice performing the localization is the mobile device which receivessaid information via a receiver of the mobile device, or the deviceperforming the localization is a location server which receives saidinformation via a second one of said wireless nodes or via the mobiledevice.
 12. A mobile device for use in a network of wireless nodes, forperforming a localization to determine a location of the mobile devicebased on respective beacon signals transmitted wirelessly between themobile device and each of a plurality of the wireless nodes; the mobiledevice comprising: one or more wireless interfaces configured towirelessly transmit or receive the respective beacon signals for use indetermining the location of the mobile device, and to wirelessly receiveinformation from a first one of the wireless nodes vouching for one ormore others of the wireless nodes as being trusted for use in saidlocalization; a location module configured to perform said localization;and a security module configured to identify one or more rogue versionsof said wireless nodes based on said information.
 13. A systemcomprising: a network of wireless nodes, for performing a localizationto determine a location of a mobile device based on respective beaconsignals transmitted wirelessly between the mobile device and each of aplurality of the wireless nodes; and the mobile device and/or a locationserver; wherein each of the wireless nodes is configured to wirelesslytransmit a respective report vouching for one or more others of thewireless nodes as being trusted for use in said localization; whereinthe mobile device is configured to receive one or more of said reports,or the location servers is configured to receive one or more of saidreports via at least one receiving one of said wireless nodes or via themobile device; and wherein the mobile device or location servercomprises a location module configured to perform said localization, anda security module configured to identify one or more rogue versions ofsaid wireless nodes based on one or more of said reports.
 14. The mobiledevice of claim 12, wherein the security module is configured to:exclude the identified rogue nodes from use in said localization, orgive the signals from the identified rogue nodes a lower weighting insaid localization relative to the vouched-for nodes.
 15. The mobiledevice of claim 12, wherein the security module is configured to reportthe identified rogue nodes to a location server or administrativeentity.
 16. The system of claim 13, wherein: each of the wireless nodesis configured to transmit or receive the respective beacon signal on afirst wireless channel; the system comprises a transmitter configured totransmit, to the mobile device over a second channel, an initial reportvouching for an initial group of said wireless nodes, wherein the secondchannel is on a different frequency than the first channel, uses adifferent radio access technology than the first channel, uses adifferent physical medium than the first channel, requires aline-of-sight while the first channel does not, and/or has asubstantially shorter range than the first channel; the location moduleis comprised in the mobile device and the mobile device receives theinitial report, or the location module is comprised in the locationserver and the location server receives the initial report via themobile device; and the location module is configured to perform one ormore instances of said localization including at least a first instance,the first instance of the localization being performed based only on therespective beacon signals of ones of those wireless nodes vouched for insaid initial report.
 17. The system of claim 13, wherein: each of thewireless nodes is configured to transmit or receive the respectivebeacon signal on a first wireless channel and the respective reports arealso transmitted on the first channel; the respective reports aretransmitted by each of the wireless nodes in a form encrypted or signedwith a digital signature; and the system comprises a transmitterconfigured to transmit, to the mobile device over a second channel, apublic key for decrypting the encryption or a certificate for verifyingthe digital signature, wherein the second channel: is on a differentfrequency than the first channel, uses a different radio accesstechnology than the first channel, uses a different physical medium thanthe first channel, requires a line-of-sight while the first channel doesnot, and/or has a substantially shorter range than the first channel;the security module is comprised in the mobile device and the mobiledevice receives said public key or certificate, or the security moduleis comprised in the location server and the location server receives thepublic key or certificate via the mobile device; and the security moduleis configured to use the received public key to decrypt the encryption,or to use the received certificate to verify the digital signature. 18.The system of claim 16, wherein the transmitter is placed at an entrypoint to a room, building or zone in which said wireless nodes aredisposed, the transmitter being arranged to transmit said initial reportand/or said certificate or public key over the second channel to themobile device upon passing said entry point.
 19. A computer programproduct for performing a localization to determine a location of amobile device based on measurements of a respective beacon signaltransmitted wirelessly between the mobile device and each of a pluralityof the wireless nodes in a network of wireless nodes; thecomputer-program product comprising code embodied on at least onecomputer-readable medium, and configured so as when retrieved and/ordownloaded and executed on one or more processors to perform operationsof: receiving information from a first one or the wireless nodesvouching for one or more others of the wireless nodes as being trustedfor use in said localization; performing said localization; andidentifying one or more rogue versions of said wireless nodes based onsaid information.